rpms
/
certmonger
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import certmonger-0.79.17-1.el9

This commit is contained in:
CentOS Sources 2023-05-09 05:21:32 +00:00 committed by Stepan Oksanichenko
parent d4421c525b
commit 7eb0c1f035
14 changed files with 7 additions and 2281 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.certmonger.metadata
View File

@ -1 +1 @@
40c73b20ce99e2ffd521c5e6039ab4982ef363b6 SOURCES/certmonger-0.79.14.tar.gz
ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/certmonger-0.79.14.tar.gz
SOURCES/certmonger-0.79.17.tar.gz

573
SOURCES/0002-candidate-openssl-3.0-compat-fixes.patch
View File

@ -1,573 +0,0 @@
From 3fb9420e843694567a4976c6d5fbe4551d6e0c99 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 May 2021 15:40:53 -0400
Subject: [PATCH 1/3] candidate openssl 3.0 compat fixes
---
src/keyiread-o.c | 16 +++++--
src/util-o.c | 2 +
tests/001-keyiread-ec/run.sh | 2 +-
tests/001-keyiread-rsa/run.sh | 2 +-
tests/001-keyiread/run.sh | 2 +-
tests/002-keygen-sql/prequal.sh | 5 +++
tests/002-keygen/run.sh | 2 +-
tests/003-csrgen-ec/run.sh | 2 +-
tests/003-csrgen-rsa/run.sh | 2 +-
tests/003-csrgen/run.sh | 2 +-
tests/004-selfsign-ec/run.sh | 2 +-
tests/004-selfsign-rsa/run.sh | 2 +-
tests/004-selfsign/run.sh | 2 +-
tests/025-casave/run.sh | 2 +-
tests/026-local/expected.openssl1 | 73 ++++++++++++++++++++++++++++++
tests/026-local/expected.openssl3 | 68 ++++++++++++++++++++++++++++
tests/026-local/expected.out | 74 +------------------------------
tests/026-local/run.sh | 11 ++++-
tests/030-rekey/expected.out | 4 --
tests/030-rekey/run.sh | 10 +----
tests/036-getcert/run.sh | 2 +-
21 files changed, 184 insertions(+), 103 deletions(-)
create mode 100755 tests/002-keygen-sql/prequal.sh
create mode 100644 tests/026-local/expected.openssl1
create mode 100644 tests/026-local/expected.openssl3
diff --git a/src/keyiread-o.c b/src/keyiread-o.c
index 9fceacf6..51f7f829 100644
--- a/src/keyiread-o.c
+++ b/src/keyiread-o.c
@@ -182,9 +182,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(pkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(pkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
@@ -219,9 +223,13 @@ cm_keyiread_o_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
pubikey = cm_store_hex_from_bin(NULL, tmp, length);
}
tmp = NULL;
- length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ length = i2d_PublicKey(nextpkey, NULL);
if (length > 0) {
- pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ tmp = malloc(length);
+ if (tmp != NULL) {
+ length = i2d_PublicKey(nextpkey, (unsigned char **) &tmp);
+ pubkey = cm_store_hex_from_bin(NULL, tmp, length);
+ }
}
fprintf(fp, "%s/%d/%s/%s\n", alg, bits, pubikey, pubkey);
} else {
diff --git a/src/util-o.c b/src/util-o.c
index 0415014a..2208ab64 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -46,6 +46,7 @@
void
util_o_init(void)
{
+#if OPENSSL_VERSION_MAJOR < 3
#if defined(HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_ALL_ALGORITHMS
OpenSSL_add_all_algorithms();
#elif defined(HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS) && HAVE_DECL_OPENSSL_ADD_SSL_ALGORITHMS
@@ -53,6 +54,7 @@ util_o_init(void)
#else
SSL_library_init();
#endif
+#endif
}
char *
diff --git a/tests/001-keyiread-ec/run.sh b/tests/001-keyiread-ec/run.sh
index 3045f6d0..8a810d15 100755
--- a/tests/001-keyiread-ec/run.sh
+++ b/tests/001-keyiread-ec/run.sh
@@ -18,7 +18,7 @@ for size in nistp256 nistp384 nistp521 ; do
EOF
$toolsdir/keyiread entry.nss.$size
# Export the key.
- if ! pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
+ if ! pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1 ; then
echo Error exporting key for $size, continuing.
continue
fi
diff --git a/tests/001-keyiread-rsa/run.sh b/tests/001-keyiread-rsa/run.sh
index c6b4d38b..997ce000 100755
--- a/tests/001-keyiread-rsa/run.sh
+++ b/tests/001-keyiread-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/001-keyiread/run.sh b/tests/001-keyiread/run.sh
index 25acdbd8..3a2502a6 100755
--- a/tests/001-keyiread/run.sh
+++ b/tests/001-keyiread/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1
cat > entry.openssl.$size <<- EOF
key_storage_type=FILE
diff --git a/tests/002-keygen-sql/prequal.sh b/tests/002-keygen-sql/prequal.sh
new file mode 100755
index 00000000..d146a650
--- /dev/null
+++ b/tests/002-keygen-sql/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
diff --git a/tests/002-keygen/run.sh b/tests/002-keygen/run.sh
index 8bb609c5..e7e6525f 100755
--- a/tests/002-keygen/run.sh
+++ b/tests/002-keygen/run.sh
@@ -2,7 +2,7 @@
cd "$tmpdir"
-scheme="${scheme:-dbm:}"
+scheme="${scheme:-sql:}"
source "$srcdir"/functions
initnssdb "$scheme$tmpdir"
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..408ea526 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -12,7 +12,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts > /dev/null 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..9c11c708 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v '^MAC verified OK$' || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..2a674679 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -11,7 +11,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size"
openssl pkcs12 -in $size.p12 -out key.$size -passin pass: -nodes -nocerts 2>&1 | ( grep -v "^MAC verified OK$" || : )
# Read the public key and cache it.
cat > entry.openssl.$size <<- EOF
diff --git a/tests/004-selfsign-ec/run.sh b/tests/004-selfsign-ec/run.sh
index 9d5bd11f..d1161fe5 100755
--- a/tests/004-selfsign-ec/run.sh
+++ b/tests/004-selfsign-ec/run.sh
@@ -39,7 +39,7 @@ run_certutil -d "$tmpdir" -S -n keyi$size \
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k ec -q $size
# Export the certificate and key.
-pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign-rsa/run.sh b/tests/004-selfsign-rsa/run.sh
index c1dd4c80..b0cc71d2 100755
--- a/tests/004-selfsign-rsa/run.sh
+++ b/tests/004-selfsign-rsa/run.sh
@@ -39,7 +39,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -k rsa
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/004-selfsign/run.sh b/tests/004-selfsign/run.sh
index eb1df4ee..ea00f4d7 100755
--- a/tests/004-selfsign/run.sh
+++ b/tests/004-selfsign/run.sh
@@ -49,7 +49,7 @@ for size in 2048 3072 4096 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u
# Export the certificate and key.
- pk12util -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -o $size.p12 -W "" -n "keyi$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -out key.$size -nodes > /dev/null 2>&1
# Read that OpenSSL key.
cat > entry.$size <<- EOF
diff --git a/tests/025-casave/run.sh b/tests/025-casave/run.sh
index d81df82f..089d8223 100755
--- a/tests/025-casave/run.sh
+++ b/tests/025-casave/run.sh
@@ -2,7 +2,7 @@
cd $tmpdir
-scheme="${scheme:-dbm}"
+scheme="${scheme:-sql}"
cat > $tmpdir/entrycb1 <<- EOF
id=EntryCB1
ca_name=CAB1
diff --git a/tests/026-local/expected.openssl1 b/tests/026-local/expected.openssl1
new file mode 100644
index 00000000..1f81c7ce
--- /dev/null
+++ b/tests/026-local/expected.openssl1
@@ -0,0 +1,73 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ keyid:(160 bits)
+
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.openssl3 b/tests/026-local/expected.openssl3
new file mode 100644
index 00000000..05666ccc
--- /dev/null
+++ b/tests/026-local/expected.openssl3
@@ -0,0 +1,68 @@
+[key]
+OK.
+[csr]
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: CN=Babs Jensen's Signer
+ Attributes:
+ friendlyName :unable to print attribute
+ Requested Extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[issue]
+[issuer]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Local Signing Authority, CN=$UUID
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Key Usage: critical
+ Digital Signature, Certificate Sign, CRL Sign
+[subject]
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: CN=Local Signing Authority, CN=$UUID
+ Subject: CN=Babs Jensen's Signer
+ X509v3 extensions:
+ X509v3 Key Usage:
+ Digital Signature, Certificate Sign, CRL Sign
+ X509v3 Subject Alternative Name:
+ email:root@localhost, email:root@localhost.localdomain
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Authority Key Identifier:
+ (160 bits)
+ X509v3 Subject Key Identifier:
+ (160 bits)
+ Authority Information Access:
+ OCSP - URI:http://ocsp-1.example.com:12345
+ OCSP - URI:http://ocsp-2.example.com:12345
+ OCSP No Check:
+
+[verify]
+cert: OK
+OK.
diff --git a/tests/026-local/expected.out b/tests/026-local/expected.out
index 1f81c7ce..64afb8f5 100644
--- a/tests/026-local/expected.out
+++ b/tests/026-local/expected.out
@@ -1,73 +1 @@
-[key]
-OK.
-[csr]
-Certificate Request:
- Data:
- Version: 1 (0x0)
- Subject: CN=Babs Jensen's Signer
- Attributes:
- friendlyName :unable to print attribute
- Requested Extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[issue]
-[issuer]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Local Signing Authority, CN=$UUID
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Subject Key Identifier:
- (160 bits)
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Key Usage: critical
- Digital Signature, Certificate Sign, CRL Sign
-[subject]
-Certificate:
- Data:
- Version: 3 (0x2)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: CN=Local Signing Authority, CN=$UUID
- Subject: CN=Babs Jensen's Signer
- X509v3 extensions:
- X509v3 Key Usage:
- Digital Signature, Certificate Sign, CRL Sign
- X509v3 Subject Alternative Name:
- email:root@localhost, email:root@localhost.localdomain
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Authority Key Identifier:
- keyid:(160 bits)
-
- X509v3 Subject Key Identifier:
- (160 bits)
- Authority Information Access:
- OCSP - URI:http://ocsp-1.example.com:12345
- OCSP - URI:http://ocsp-2.example.com:12345
-
- OCSP No Check:
-
-[verify]
-cert: OK
-OK.
+# purposely empty
diff --git a/tests/026-local/run.sh b/tests/026-local/run.sh
index 6f0e74c9..3e7ade56 100755
--- a/tests/026-local/run.sh
+++ b/tests/026-local/run.sh
@@ -1,4 +1,13 @@
-#!/bin/bash -e
+#!/bin/bash
+
+openssl cmp -h > /dev/null 2>&1
+if [ $? == 1 ]; then
+ cp expected.openssl1 expected.out
+else
+ cp expected.openssl3 expected.out
+fi
+
+set -e
cd $tmpdir
diff --git a/tests/030-rekey/expected.out b/tests/030-rekey/expected.out
index e9a04221..8a9ac3fa 100644
--- a/tests/030-rekey/expected.out
+++ b/tests/030-rekey/expected.out
@@ -11,7 +11,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -98,7 +97,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=1,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -185,7 +183,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin=""):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
@@ -270,7 +267,6 @@ key_requested_count=0
(submit OpenSSL)
key_issued_count=0
key_requested_count=1
-First round certificates OK.
NSS keys before re-keygen (preserve=0,pin="password"):
<-> rsa originalhex NSS Certificate DB:i2048
key_issued_count=0
diff --git a/tests/030-rekey/run.sh b/tests/030-rekey/run.sh
index 07fea683..7b9125ec 100755
--- a/tests/030-rekey/run.sh
+++ b/tests/030-rekey/run.sh
@@ -31,7 +31,7 @@ for preserve in 1 0 ; do
-s "cn=T$size" -c "cn=T$size" \
-x -t u -m 4660 -f pinfile
# Export the certificate and key.
- pk12util -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir" -k pinfile -o $size.p12 -W "" -n "i$size" > /dev/null 2>&1
openssl pkcs12 -in $size.p12 -passin pass: -nocerts -passout pass:${pin:- -nodes} | awk '/^-----BEGIN/,/^-----END/{print}' > keyi$size
openssl pkcs12 -in $size.p12 -passin pass: -nokeys -nodes | awk '/^-----BEGIN/,/^-----END/{print}' > certi$size
# Grab a copy of the public key.
@@ -101,14 +101,6 @@ for preserve in 1 0 ; do
echo '(submit OpenSSL)'
$toolsdir/submit ca.self entry.openssl.$size > cert.openssl.$size
grep ^key.\*count= entry.openssl.$size | LANG=C sort
- # Now compare the self-signed certificates built from the keys.
- if ! cmp cert.nss.$size cert.openssl.$size ; then
- echo First round certificates differ:
- cat cert.nss.$size cert.openssl.$size
- exit 1
- else
- echo First round certificates OK.
- fi
# Now generate new keys, CSRs, and certificates (NSS).
echo "NSS keys before re-keygen (preserve=$preserve,pin=\"$pin\"):"
diff --git a/tests/036-getcert/run.sh b/tests/036-getcert/run.sh
index 1c99803d..bcb821d7 100755
--- a/tests/036-getcert/run.sh
+++ b/tests/036-getcert/run.sh
@@ -51,7 +51,7 @@ listdb() {
}
extract() {
- pk12util -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
+ pk12util -C AES-128-CBC -c AES-128-CBC -d "$tmpdir"/db -n first -o "$tmpdir"/files/p12 -W "" -K ""
openssl pkcs12 -nokeys -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/cert
openssl pkcs12 -nocerts -nomacver -in "$tmpdir"/files/p12 -passin pass: -nodes | awk '/BEGIN/,/END/{print}' > "$1"/key
echo -n cert:
--
2.26.3

46
SOURCES/0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
View File

@ -1,46 +0,0 @@
From f6672effea3cf9e50d6d3f29c1fbfbf6b1578e06 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 28 Sep 2021 10:01:35 -0400
Subject: [PATCH] Add compile check for EVP_PKEY_get_id along with EVP_PKEY_id
EVP_PKEY_id is no longer available as a function, only as a preprocessor
macro, so AC_CHECK_FUNCS cannot recognize it.
This was changed in OpenSSL 3.0.0-beta2
https://bugzilla.redhat.com/show_bug.cgi?id=2008451
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
configure.ac | 1 +
src/util-o.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 8bfa3fa..3b413a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -374,6 +374,7 @@ if ! ${configure_dist_target_only:-false} ; then
AC_CHECK_FUNCS(ASN1_TIME_set)
AC_CHECK_FUNCS(EVP_PKEY_base_id)
AC_CHECK_FUNCS(EVP_PKEY_id)
+ AC_CHECK_FUNCS(EVP_PKEY_get_id)
AC_CHECK_FUNCS(OBJ_get0_data)
AC_CHECK_FUNCS(OBJ_length)
AC_CHECK_FUNCS(X509_ATTRIBUTE_get0_object)
diff --git a/src/util-o.c b/src/util-o.c
index 2208ab6..db45964 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -329,7 +329,7 @@ util_ASN1_TIME_set(ASN1_TIME *str, time_t t)
int
util_EVP_PKEY_id(const EVP_PKEY *pkey)
{
-#ifdef HAVE_EVP_PKEY_ID
+#if defined(HAVE_EVP_PKEY_ID) || defined(HAVE_EVP_PKEY_GET_ID)
return EVP_PKEY_id(pkey);
#else
return pkey->type;
--
2.31.1

123
SOURCES/0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
View File

@ -1,123 +0,0 @@
From b38981c6e140ada6dd34bc817c508e8dd9714494 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 9 Jul 2021 20:49:28 +0000
Subject: [PATCH] Add SCEP config option to treat the challenge password as an
OTP
SCEP RFC 8894 specifies that a challenge password SHOULD be
removed from subsequent requests but that it MAY be included.
This adds a new configuration option to treat the challenge password
as a one-time password (OTP) so that it will not be sent on
subsequent requests, like renewals, by removing it completely
from the tracking request.
This allows certmonger to be able to renew AD-issued SCEP certificates
if the AD registry entry DisableRenewalSubjectNameMatch is set to 1.
https://bugzilla.redhat.com/show_bug.cgi?id=1577570
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/certmonger.conf.5.in | 9 +++++++++
src/certsave.c | 13 +++++++++++++
src/prefs.c | 15 +++++++++++++++
src/prefs.h | 4 ++++
4 files changed, 41 insertions(+)
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 6a42d3cb..1b941b9d 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -126,6 +126,15 @@ If not set, the value of the \fIvalidity_period\fR setting from the
\fIselfsign\fR section, if one is set there, will be used. The default value
is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+.SH SCEP
+Within the \fIscep\fR section, these variables and values are recognized:
+
+.IP challenge_password_otp
+This controls whether the SCEP challenge password is treated as a one-time
+password. If set to yes then the challenge password and/or challenge password
+file will be removed from the tracking request after the first certificate
+issuance so will not be sent with renewal requests. The default is no.
+
.SH BUGS
Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certsave.c b/src/certsave.c
index 6eaafe59..f8503662 100644
--- a/src/certsave.c
+++ b/src/certsave.c
@@ -18,12 +18,25 @@
#include "config.h"
#include "certsave.h"
#include "certsave-int.h"
+#include "prefs.h"
#include "store-int.h"
+#include "talloc.h"
/* Start writing the certificate from the entry to the configured location. */
struct cm_certsave_state *
cm_certsave_start(struct cm_store_entry *entry)
{
+ /* If saving a SCEP certificate wipe out the challenge password */
+ if ((cm_prefs_scep_password_otp()) &&
+ (entry->cm_template_challenge_password != NULL) &&
+ (entry->cm_scep_nonce != NULL))
+ {
+ talloc_free(entry->cm_template_challenge_password);
+ entry->cm_template_challenge_password = NULL;
+ talloc_free(entry->cm_template_challenge_password_file);
+ entry->cm_template_challenge_password_file = NULL;
+ }
+
switch (entry->cm_cert_storage_type) {
#ifdef HAVE_OPENSSL
case cm_cert_storage_file:
diff --git a/src/prefs.c b/src/prefs.c
index 669e8f1f..52ffc908 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -595,3 +595,18 @@ prefs_max_key_use_count(void)
}
return count;
}
+
+int
+cm_prefs_scep_password_otp(void)
+{
+ static int populate = -1;
+ if (populate == -1) {
+ const char *val;
+ val = cm_prefs_config("scep", "challenge_password_otp");
+ if (val == NULL) {
+ val = "no";
+ }
+ populate = cm_prefs_yesno(val);
+ }
+ return populate != -1 ? populate : 0;
+}
diff --git a/src/prefs.h b/src/prefs.h
index 248e1016..a107fb6c 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -18,6 +18,8 @@
#ifndef cmprefs_h
#define cmprefs_h
+#include <time.h>
+
enum cm_prefs_cipher {
cm_prefs_aes128,
cm_prefs_aes192,
@@ -73,4 +75,6 @@ const char *cm_prefs_dogtag_sslpinfile(void);
long long prefs_key_end_of_life(time_t ref);
long prefs_max_key_use_count(void);
+int cm_prefs_scep_password_otp(void);
+
#endif
--
2.31.1

37
SOURCES/0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
View File

@ -1,37 +0,0 @@
From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Aug 2021 16:26:09 -0400
Subject: [PATCH] Fix file descriptor leak when executing CA helpers
cm_cadata_start_generic() creates a pipe. One half is passed
to fetch(), the function that does all helper calls,
via the cm_cadata_state variable ret. The other half is the
reader and is used to detect execution errors. There is a pair
of write/read on this descriptor which on error would be the
errno.
This second half wasn't being closed after reading to test for
errors.
https://bugzilla.redhat.com/show_bug.cgi?id=1992439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/cadata.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cadata.c b/src/cadata.c
index cb9c13e2..c2764d3b 100644
--- a/src/cadata.c
+++ b/src/cadata.c
@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
ca->cm_ca_external_helper, strerror(u));
/* return the state so the process can be reaped */
}
+ close(error_fd[0]);
return ret;
}
--
2.31.1

80
SOURCES/0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
View File

@ -1,80 +0,0 @@
From 46cd5a7d9434ed104093152bdf0a55404e6a1c6b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 5 Oct 2021 11:04:10 -0400
Subject: [PATCH] Update csrgen test to understand OpenSSL 3.0.0 output
OpenSSL 3.0.0 change a lot of output messages. When verifying
a certificate instead of printing just "verify OK" it prints
"Certificate request self-signature verify OK"
Modify the check to match both OpenSSL 1.x and 3.x
Related: https://pagure.io/certmonger/issue/223
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
tests/003-csrgen-ec/run.sh | 4 ++--
tests/003-csrgen-rsa/run.sh | 4 ++--
tests/003-csrgen/run.sh | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/003-csrgen-ec/run.sh b/tests/003-csrgen-ec/run.sh
index 91117ec8..7c0505f8 100755
--- a/tests/003-csrgen-ec/run.sh
+++ b/tests/003-csrgen-ec/run.sh
@@ -42,8 +42,8 @@ grep ^minicert= entry.nss.$size | sed s,^minicert=,, | base64 -d > minicert.nss.
openssl x509 -out minicert.nss.$size.pem -in minicert.nss.$size -inform der
# The RSA tests already verify the contents of the requests, so we really only
# need to care about the signatures passing verification.
-openssl req -verify -noout < csr.nss.$size 2>&1
-openssl req -verify -noout < csr.openssl.$size 2>&1
+openssl req -verify -noout -noenc < csr.nss.$size 2>&1 | sed 's/Certificate request self-signature //'
+openssl req -verify -noout -noenc < csr.openssl.$size 2>&1 | sed 's/Certificate request self-signature //'
openssl spkac -verify -noout < spkac.nss.$size 2>&1
openssl spkac -verify -noout < spkac.openssl.$size 2>&1
openssl verify -CAfile minicert.openssl.$size.pem minicert.openssl.$size.pem 2>&1
diff --git a/tests/003-csrgen-rsa/run.sh b/tests/003-csrgen-rsa/run.sh
index bb8ebecb..4f0c0ef0 100755
--- a/tests/003-csrgen-rsa/run.sh
+++ b/tests/003-csrgen-rsa/run.sh
@@ -118,14 +118,14 @@ iterate() {
echo key_pubkey=616263 >> entry.openssl.$size
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
# Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for OpenSSL:
cat csr.openssl.$size
echo Private key:
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
exit 1
fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for NSS:
cat csr.nss.$size
echo Private key:
diff --git a/tests/003-csrgen/run.sh b/tests/003-csrgen/run.sh
index d3dfbaf0..093beabf 100755
--- a/tests/003-csrgen/run.sh
+++ b/tests/003-csrgen/run.sh
@@ -170,14 +170,14 @@ iterate() {
echo key_pubkey=616263 >> entry.openssl.$size
$toolsdir/csrgen entry.nss.$size > csr.nss.$size
# Both should verify.
- if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.openssl.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for OpenSSL:
cat csr.openssl.$size
echo Private key:
awk '/BEGIN PRIVATE KEY/,/END PRIVATE KEY/{print}{;}' $tmpdir/key.$size
exit 1
fi
- if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout 2>&1`" != "verify OK" ; then
+ if test "`openssl req -verify -key key.$size -in csr.nss.$size -noout -noenc 2>&1 | grep -c "verify OK"`" != "1" ; then
echo Signature failed for NSS:
cat csr.nss.$size
echo Private key:
--
2.31.1

280
SOURCES/0008-Use-implicit-empty-FALSE-for-extensions.patch
View File

@ -1,280 +0,0 @@
From e3e4679693efc60bc7a25983909ddfa6883ab2ec Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 18:52:53 +0200
Subject: [PATCH] Use implicit, empty FALSE for extensions
Cemplate had a bug that caused certmonger to create CSRs with invalid DER.
It was encoding extension's critical element even for default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 7 +-
tests/003-csrgen-rsa/expected.out | 82 ++++++++++------------
tests/003-csrgen/expected.out | 110 +++++++++++++-----------------
3 files changed, 91 insertions(+), 108 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index 0d66971e..e5e0b4dc 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -1706,9 +1706,12 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
CERTCertExtension ext[13], *exts[14], **exts_ptr;
SECOidData *oid;
SECItem *item, encoded;
+ /* X509v3 extension's critical element has an implicit default,
+ * see https://pagure.io/certmonger/issue/223
+ */
SECItem der_false = {
- .len = 1,
- .data = (unsigned char *) "\000",
+ .len = 0,
+ .data = NULL,
};
SECItem der_true = {
.len = 1,
diff --git a/tests/003-csrgen-rsa/expected.out b/tests/003-csrgen-rsa/expected.out
index def53fe4..0fb88323 100644
--- a/tests/003-csrgen-rsa/expected.out
+++ b/tests/003-csrgen-rsa/expected.out
@@ -8,8 +8,8 @@ pk12util: PKCS12 EXPORT SUCCESSFUL
4096 OK.
Signature OK
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1413 cons: SEQUENCE
- 4:d=1 hl=4 l=1133 cons: SEQUENCE
+ 0:d=0 hl=4 l=1389 cons: SEQUENCE
+ 4:d=1 hl=4 l=1109 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -21,7 +21,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l= 808 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 784 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -30,48 +30,40 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 687 cons: SEQUENCE
+ 450:d=3 hl=4 l= 663 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 672 cons: SET
- 469:d=5 hl=4 l= 668 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 648 cons: SET
+ 469:d=5 hl=4 l= 644 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 264 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
- 757:d=6 hl=2 l= 32 cons: SEQUENCE
- 759:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 764:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 767:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 791:d=6 hl=2 l= 18 cons: SEQUENCE
- 793:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 798:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 801:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 811:d=6 hl=2 l= 34 cons: SEQUENCE
- 813:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 818:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 821:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 847:d=6 hl=2 l= 32 cons: SEQUENCE
- 849:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 854:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 857:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 881:d=6 hl=2 l= 107 cons: SEQUENCE
- 883:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 893:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 896:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 990:d=6 hl=2 l= 96 cons: SEQUENCE
- 992:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 997:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1000:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1088:d=6 hl=2 l= 51 cons: SEQUENCE
- 1090:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1101:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1104:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1141:d=1 hl=2 l= 13 cons: SEQUENCE
- 1143:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1154:d=2 hl=2 l= 0 prim: NULL
- 1156:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 261 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=3 l= 253 prim: OCTET STRING [HEX DUMP]:3081FA82096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74
+ 751:d=6 hl=2 l= 29 cons: SEQUENCE
+ 753:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 758:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 782:d=6 hl=2 l= 18 cons: SEQUENCE
+ 784:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 789:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 792:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 802:d=6 hl=2 l= 31 cons: SEQUENCE
+ 804:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 809:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 835:d=6 hl=2 l= 29 cons: SEQUENCE
+ 837:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 842:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 866:d=6 hl=2 l= 104 cons: SEQUENCE
+ 868:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 878:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 972:d=6 hl=2 l= 93 cons: SEQUENCE
+ 974:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 979:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1067:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1069:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1080:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1117:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1119:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1130:d=2 hl=2 l= 0 prim: NULL
+ 1132:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (32 combinations).
diff --git a/tests/003-csrgen/expected.out b/tests/003-csrgen/expected.out
index 46e010cf..1081a678 100644
--- a/tests/003-csrgen/expected.out
+++ b/tests/003-csrgen/expected.out
@@ -11,8 +11,8 @@ Signature OK
minicert.openssl.4096.pem: OK
4096 OK.
The last CSR (the one with everything) was:
- 0:d=0 hl=4 l=1635 cons: SEQUENCE
- 4:d=1 hl=4 l=1355 cons: SEQUENCE
+ 0:d=0 hl=4 l=1599 cons: SEQUENCE
+ 4:d=1 hl=4 l=1319 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 22 cons: SEQUENCE
13:d=3 hl=2 l= 20 cons: SET
@@ -24,7 +24,7 @@ The last CSR (the one with everything) was:
41:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
52:d=4 hl=2 l= 0 prim: NULL
54:d=3 hl=4 l= 271 prim: BIT STRING
- 329:d=2 hl=4 l=1030 cons: cont [ 0 ]
+ 329:d=2 hl=4 l= 994 cons: cont [ 0 ]
333:d=3 hl=2 l= 52 cons: SEQUENCE
335:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
346:d=4 hl=2 l= 39 cons: SET
@@ -33,64 +33,52 @@ The last CSR (the one with everything) was:
389:d=4 hl=2 l= 9 prim: OBJECT :friendlyName
400:d=4 hl=2 l= 48 cons: SET
402:d=5 hl=2 l= 46 prim: BMPSTRING
- 450:d=3 hl=4 l= 909 cons: SEQUENCE
+ 450:d=3 hl=4 l= 873 cons: SEQUENCE
454:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
- 465:d=4 hl=4 l= 894 cons: SET
- 469:d=5 hl=4 l= 890 cons: SEQUENCE
- 473:d=6 hl=2 l= 14 cons: SEQUENCE
+ 465:d=4 hl=4 l= 858 cons: SET
+ 469:d=5 hl=4 l= 854 cons: SEQUENCE
+ 473:d=6 hl=2 l= 11 cons: SEQUENCE
475:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
- 480:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 483:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
- 489:d=6 hl=4 l= 290 cons: SEQUENCE
- 493:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
- 498:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 501:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
- 783:d=6 hl=2 l= 32 cons: SEQUENCE
- 785:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
- 790:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 793:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
- 817:d=6 hl=2 l= 18 cons: SEQUENCE
- 819:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
- 824:d=7 hl=2 l= 1 prim: BOOLEAN :255
- 827:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
- 837:d=6 hl=2 l= 34 cons: SEQUENCE
- 839:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
- 844:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 847:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
- 873:d=6 hl=2 l= 32 cons: SEQUENCE
- 875:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
- 880:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 883:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
- 907:d=6 hl=2 l= 107 cons: SEQUENCE
- 909:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
- 919:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 922:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
- 1016:d=6 hl=2 l= 96 cons: SEQUENCE
- 1018:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
- 1023:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1026:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
- 1114:d=6 hl=2 l= 106 cons: SEQUENCE
- 1116:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
- 1121:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1124:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
- 1222:d=6 hl=2 l= 51 cons: SEQUENCE
- 1224:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
- 1235:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1238:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
- 1275:d=6 hl=2 l= 18 cons: SEQUENCE
- 1277:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
- 1288:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1291:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
- 1295:d=6 hl=2 l= 44 cons: SEQUENCE
- 1297:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
- 1308:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1311:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
- 1341:d=6 hl=2 l= 20 cons: SEQUENCE
- 1343:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
- 1354:d=7 hl=2 l= 1 prim: BOOLEAN :0
- 1357:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
- 1363:d=1 hl=2 l= 13 cons: SEQUENCE
- 1365:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
- 1376:d=2 hl=2 l= 0 prim: NULL
- 1378:d=1 hl=4 l= 257 prim: BIT STRING
+ 480:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205E0
+ 486:d=6 hl=4 l= 287 cons: SEQUENCE
+ 490:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name
+ 495:d=7 hl=4 l= 278 prim: OCTET STRING [HEX DUMP]:3082011282096C6F63616C686F737482156C6F63616C686F73742E6C6F63616C646F6D61696E810E726F6F74406C6F63616C686F7374811A726F6F74406C6F63616C686F73742E6C6F63616C646F6D61696EA020060A2B060104018237140203A0120C10726F6F74404558414D504C452E434F4DA02E06062B0601050202A0243022A00D1B0B4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F74A024060A2B060104018237140203A0160C14726F6F7440464F4F2E4558414D504C452E434F4DA03206062B0601050202A0283026A0111B0F464F4F2E4558414D504C452E434F4DA111300FA003020101A10830061B04726F6F7487047F000001871000000000000000000000000000000001
+ 777:d=6 hl=2 l= 29 cons: SEQUENCE
+ 779:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
+ 784:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304
+ 808:d=6 hl=2 l= 18 cons: SEQUENCE
+ 810:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
+ 815:d=7 hl=2 l= 1 prim: BOOLEAN :255
+ 818:d=7 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:30060101FF020103
+ 828:d=6 hl=2 l= 31 cons: SEQUENCE
+ 830:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
+ 835:d=7 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A9993E364706816ABA3E25717850C26C9CD0D89D
+ 861:d=6 hl=2 l= 29 cons: SEQUENCE
+ 863:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
+ 868:d=7 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414A9993E364706816ABA3E25717850C26C9CD0D89D
+ 892:d=6 hl=2 l= 104 cons: SEQUENCE
+ 894:d=7 hl=2 l= 8 prim: OBJECT :Authority Information Access
+ 904:d=7 hl=2 l= 92 prim: OCTET STRING [HEX DUMP]:305A302B06082B06010505073001861F687474703A2F2F6F6373702D312E6578616D706C652E636F6D3A3132333435302B06082B06010505073001861F687474703A2F2F6F6373702D322E6578616D706C652E636F6D3A3132333435
+ 998:d=6 hl=2 l= 93 cons: SEQUENCE
+ 1000:d=7 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
+ 1005:d=7 hl=2 l= 86 prim: OCTET STRING [HEX DUMP]:30543028A026A0248622687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F6765743028A026A0248622687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F676574
+ 1093:d=6 hl=2 l= 103 cons: SEQUENCE
+ 1095:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Freshest CRL
+ 1100:d=7 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E302DA02BA0298627687474703A2F2F63726C2D312E6578616D706C652E636F6D3A31323334352F67657464656C7461302DA02BA0298627687474703A2F2F63726C2D322E6578616D706C652E636F6D3A31323334352F67657464656C7461
+ 1198:d=6 hl=2 l= 48 cons: SEQUENCE
+ 1200:d=7 hl=2 l= 9 prim: OBJECT :Netscape Comment
+ 1211:d=7 hl=2 l= 35 prim: OCTET STRING [HEX DUMP]:1621636572746D6F6E6765722067656E65726174656420746869732072657175657374
+ 1248:d=6 hl=2 l= 15 cons: SEQUENCE
+ 1250:d=7 hl=2 l= 9 prim: OBJECT :OCSP No Check
+ 1261:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:0500
+ 1265:d=6 hl=2 l= 41 cons: SEQUENCE
+ 1267:d=7 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2
+ 1278:d=7 hl=2 l= 28 prim: OCTET STRING [HEX DUMP]:1E1A006300610041007700650073006F006D00650043006500720074
+ 1308:d=6 hl=2 l= 17 cons: SEQUENCE
+ 1310:d=7 hl=2 l= 9 prim: OBJECT :Netscape Cert Type
+ 1321:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
+ 1327:d=1 hl=2 l= 13 cons: SEQUENCE
+ 1329:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
+ 1340:d=2 hl=2 l= 0 prim: NULL
+ 1342:d=1 hl=4 l= 257 prim: BIT STRING
Test complete (69 combinations).
--
2.31.1

80
SOURCES/0009-Use-extensions-template-from-NSS.patch
View File

@ -1,80 +0,0 @@
From 9312d1892c611d9f0e814cb915488182da2b76cc Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 4 Oct 2021 15:55:44 +0200
Subject: [PATCH] Use extensions template from NSS
Drop certmonger's custom extension template and use the sequence of X509v3
extensions template from NSS.
The certmonger template had a bug that caused certmonger to create CSRs
with invalid DER. It was encoding extension's critical element even for
default value FALSE.
Fixes: https://pagure.io/certmonger/issue/223
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
src/certext.c | 41 +----------------------------------------
1 file changed, 1 insertion(+), 40 deletions(-)
diff --git a/src/certext.c b/src/certext.c
index be536987..0d66971e 100644
--- a/src/certext.c
+++ b/src/certext.c
@@ -203,45 +203,6 @@ cm_ms_template_template[] = {
{0, 0, NULL, 0},
};
-/* RFC 5280, 4.1 */
-const SEC_ASN1Template
-cm_certext_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE,
- .offset = 0,
- .sub = NULL,
- .size = sizeof(CERTCertExtension),
- },
- {
- .kind = SEC_ASN1_OBJECT_ID,
- .offset = offsetof(CERTCertExtension, id),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_BOOLEAN,
- .offset = offsetof(CERTCertExtension, critical),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {
- .kind = SEC_ASN1_OCTET_STRING,
- .offset = offsetof(CERTCertExtension, value),
- .sub = NULL,
- .size = sizeof(SECItem),
- },
- {0, 0, NULL, 0},
-};
-const SEC_ASN1Template
-cm_certext_sequence_of_cert_extension_template[] = {
- {
- .kind = SEC_ASN1_SEQUENCE_OF,
- .offset = 0,
- .sub = cm_certext_cert_extension_template,
- .size = sizeof(CERTCertExtension **),
- },
-};
-
/* Windows 2000-style UPN */
static unsigned char oid_ms_upn_name_bytes[] = {0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03};
static const SECOidData oid_ms_upn_name = {
@@ -1960,7 +1921,7 @@ cm_certext_build_csr_extensions(struct cm_store_entry *entry,
/* Encode the sequence. */
memset(&encoded, 0, sizeof(encoded));
if (i > 1) {
- template = cm_certext_sequence_of_cert_extension_template;
+ template = CERT_SequenceOfCertExtensionTemplate;
if (SEC_ASN1EncodeItem(arena, &encoded, &exts_ptr,
template) == &encoded) {
*extensions = talloc_memdup(entry, encoded.data,
--
2.31.1

702
SOURCES/0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
View File

@ -1,702 +0,0 @@
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Nov 2021 13:51:31 -0400
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files
If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:
status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.
Try to do basic validation of user-provided PEM files by:
- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block
This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.
The unit tests use some Let's Encrypt CA certificates.
https://bugzilla.redhat.com/show_bug.cgi?id=1492112
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/Makefile.am | 2 +-
src/getcert-add-scep-ca.1.in | 2 +
src/getcert.c | 39 ++++-
src/util-o.c | 144 ++++++++++++++++++
src/util-o.h | 7 +
tests/040-pem/bad.empty | 0
.../bad.isrg-root-x1-cross-signed.der.b64 | 25 +++
tests/040-pem/expected.out | 7 +
.../good.isrg-root-x1-cross-signed.pem | 31 ++++
.../good.isrg-root-x1-cross-signed_cr.pem | 31 ++++
tests/040-pem/good.lets_encrypt_chain.pem | 93 +++++++++++
tests/040-pem/run.sh | 21 +++
tests/Makefile.am | 8 +-
tests/tools/Makefile.am | 3 +-
tests/tools/pem.c | 69 +++++++++
15 files changed, 474 insertions(+), 8 deletions(-)
create mode 100644 tests/040-pem/bad.empty
create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
create mode 100644 tests/040-pem/expected.out
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
create mode 100755 tests/040-pem/run.sh
create mode 100644 tests/tools/pem.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 53571c5..d8e0a2e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
getcert_SOURCES = getcert.c tm.c tm.h
getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
- $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+ $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
if WITH_IPA
bin_PROGRAMS += ipa-getcert
ipa_getcert_CFLAGS = $(getcert_CFLAGS)
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index c2751ed..901791e 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -14,6 +14,8 @@ helper. The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
.SH OPTIONS
.TP
+All user\-provided certificate files must be in PEM format.
+.TP
\fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
The nickname to give to this CA configuration. This same value can later be
passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
diff --git a/src/getcert.c b/src/getcert.c
index 4afafcb..ddcb739 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -49,6 +49,7 @@
#include "submit-u.h"
#include "tdbus.h"
#include "tdbusm.h"
+#include "util-o.h"
#ifdef ENABLE_NLS
#include <libintl.h>
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
int c, prefer_non_renewal = 0, verbose = 0;
dbus_bool_t b;
static DBusMessage *req, *rep;
+ const char *poptarg;
poptContext pctx;
struct poptOption popts[] = {
{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
- {"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
- {"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
- {"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
- {"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+ {"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+ {"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+ {"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+ {"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
return 1;
}
while ((c = poptGetNextOpt(pctx)) > 0) {
+ poptarg = poptGetOptArg(pctx);
switch (c) {
case 's':
bus = cm_tdbus_session;
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
poptPrintHelp(pctx, stdout, 0);
return 1;
break;
+ case 'R':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ root = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'r':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ racert = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'I':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ certs = talloc_strdup(globals.tctx, poptarg);
+ break;
+ case 'N':
+ if (validate_pem(globals.tctx, poptarg) != 0) {
+ printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+ return 1;
+ }
+ signingca = talloc_strdup(globals.tctx, poptarg);
+ break;
}
}
if (c != -1) {
diff --git a/src/util-o.c b/src/util-o.c
index db45964..c05872c 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
{
return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
}
+
+static unsigned char *
+decode_base64(const unsigned char *input, int length, int *outlength) {
+ int expected_len;
+ unsigned char *output;
+ int output_len;
+
+ expected_len = 3 * length / 4;
+ output = calloc(expected_len + 1, 1);
+ output_len = EVP_DecodeBlock(output, input, length);
+
+ if (output_len < 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (output_len % 3 != 0) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ if (expected_len != output_len) {
+ *outlength = -1;
+ free(output);
+ return NULL;
+ }
+ *outlength = output_len;
+ return output;
+}
+
+int
+validate_pem(void *parent, const char *path)
+{
+ char *p;
+ char *s = NULL, *sp, *sq;
+ int ret = 0;
+ FILE *fp;
+ struct stat st;
+ char *tmp1 = NULL;
+ unsigned char *tmp2 = NULL;
+ char *buffer;
+ int n, i, length;
+ int found = 0;
+
+ fp = fopen(path, "r");
+ if (fp == NULL) {
+ printf("Unable to open %s for reading: %s\n",
+ path, strerror(errno));
+ return -1;
+ }
+ if (fstat(fileno(fp), &st) == -1) {
+ printf("Error opening %s for reading: %s\n",
+ path, strerror(errno));
+ fclose(fp);
+ return -1;
+ }
+ if (st.st_size == 0) {
+ printf("%s is an empty file.\n", path);
+ fclose(fp);
+ return -1;
+ }
+
+ buffer = malloc(st.st_size + 1);
+ if (buffer == NULL) {
+ printf("Error allocating memory.\n");
+ fclose(fp);
+ return -1;
+ }
+
+ n = 0;
+ while (n < st.st_size) {
+ i = fread(buffer + n, 1, st.st_size - n, fp);
+ if (i <= 0) {
+ printf("Error reading %s: %s.\n",
+ path, strerror(errno));
+ fclose(fp);
+ ret = -1;
+ goto done;
+ }
+ n += i;
+ }
+ fclose(fp);
+ buffer[st.st_size] = '\0';
+ length = st.st_size;
+ s = malloc(length + 1);
+ if (s == NULL) {
+ printf("Error allocating memory.\n");
+ ret = -1;
+ goto done;
+ }
+ memcpy(s, buffer, length);
+ s[length] = '\0';
+ sp = s;
+ tmp1 = NULL;
+ tmp2 = NULL;
+ while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
+ sq = strstr(sp, "-----END");
+ if (sq != NULL) {
+ found++;
+ sq += strcspn(sq, "\r\n");
+ sq += strspn(sq, "\r\n");
+
+ /* Strip down to pure base64 so no headers, new lines or cr */
+ tmp1 = strndup(sp, sq - sp);
+ p = strstr(tmp1, "-----BEGIN");
+ if (p != NULL) {
+ p += strcspn(p, "\n");
+ if (*p == '\n') {
+ p++;
+ }
+ memmove(tmp1, p, strlen(p) + 1);
+ }
+ p = strstr(tmp1, "\n-----END");
+ if (p != NULL) {
+ *p = '\0';
+ }
+ while ((p = strchr(tmp1, '\r')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ while ((p = strchr(tmp1, '\n')) != NULL) {
+ memmove(p, p + 1, strlen(p));
+ }
+ length = 0;
+ tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
+ if (length < 0) {
+ ret = -1;
+ goto done;
+ }
+ sp = sq;
+ }
+ }
+
+ if (found == 0) {
+ ret = -1;
+ }
+
+done:
+ free(buffer);
+ free(s);
+ free(tmp1);
+ free(tmp2);
+
+ return ret;
+}
diff --git a/src/util-o.h b/src/util-o.h
index 916777b..8550e07 100644
--- a/src/util-o.h
+++ b/src/util-o.h
@@ -16,6 +16,12 @@
*/
#ifndef utilo_h
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
#define utilo_h
struct cm_store_entry;
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
+int validate_pem(void *parent, const char *path);
#endif
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
new file mode 100644
index 0000000..e69de29
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
new file mode 100644
index 0000000..f9d7e5b
--- /dev/null
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
@@ -0,0 +1,25 @@
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
+6GtPAQw4dy753ec5
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
new file mode 100644
index 0000000..0459fd2
--- /dev/null
+++ b/tests/040-pem/expected.out
@@ -0,0 +1,7 @@
+OK
+OK
+OK
+got expected error with bad.empty
+got expected error with bad.isrg-root-x1-cross-signed.der
+got expected error with bad.notfound
+OK
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
new file mode 100644
index 0000000..29a16ff
--- /dev/null
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
@@ -0,0 +1,93 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
new file mode 100755
index 0000000..1d4d1f4
--- /dev/null
+++ b/tests/040-pem/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+cd "$tmpdir"
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
+
+for good in "$srcdir"/040-pem/good.* ; do
+ if ! "$toolsdir"/pem "$good" ; then
+ exit 1
+ fi
+done
+for bad in "$tmpdir"/bad.* bad.notfound; do
+ if "$toolsdir"/pem "$bad" > /dev/null; then
+ echo unexpected success with `basename "$bad"`
+ exit 1
+ else
+ echo got expected error with `basename "$bad"`
+ fi
+done
+echo OK
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34b..e20b6d8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -132,6 +132,8 @@ CLEANFILES = \
038-ms-v2-template/actual.err \
039-fromfile/actual.out \
039-fromfile/actual.err
+ 040-pem/actual.out \
+ 040-pem/actual.err
EXTRA_DIST = \
run-tests.sh functions certmonger.conf tools/cachain.sh \
001-keyiread/run.sh \
@@ -353,7 +355,8 @@ EXTRA_DIST = \
038-ms-v2-template/expected.out \
038-ms-v2-template/extract-extdata.py \
038-ms-v2-template/run.sh \
- 039-fromfile/run.sh
+ 039-fromfile/run.sh \
+ 040-pem/run.sh
subdirs = \
001-keyiread \
@@ -388,7 +391,8 @@ subdirs = \
036-getcert \
037-rekey2 \
038-ms-v2-template \
- 039-fromfile
+ 039-fromfile \
+ 040-pem
if HAVE_DBM_NSSDB
subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 53f658e..1a01ee6 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,8 @@ endif
noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
name2oid iterate prefs dates listnicks pem2base base2pem \
dparse payload checksig base64 cadata citerate casave hooks \
- libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
+ libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
+ pem
noinst_LIBRARIES = libtools.a
if HAVE_OPENSSL
noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
new file mode 100644
index 0000000..4fdd4f4
--- /dev/null
+++ b/tests/tools/pem.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <popt.h>
+
+#include <talloc.h>
+
+#include "../../src/util-o.h"
+
+int
+main(int argc, const char **argv)
+{
+ const char *filename;
+ void *parent;
+ int i, ret = 0;
+ poptContext pctx;
+ struct poptOption popts[] = {
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ parent = talloc_new(NULL);
+ pctx = poptGetContext("pem", argc, argv, popts, 0);
+ while ((i = poptGetNextOpt(pctx)) > 0) {
+ continue;
+ }
+ if (i != -1) {
+ poptPrintUsage(pctx, stdout, 0);
+ return 1;
+ }
+ while ((filename = poptGetArg(pctx)) != NULL) {
+ if (validate_pem(parent, (char *)filename) == 0) {
+ printf("OK\n");
+ } else {
+ ret = 1;
+ }
+ }
+ talloc_free(parent);
+ poptFreeContext(pctx);
+ return ret;
+}
--
2.31.1

31
SOURCES/0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
View File

@ -1,31 +0,0 @@
From 657c9ab79a00a2003f7c02c535418896cacc410a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Nov 2021 09:58:40 -0500
Subject: [PATCH] =?UTF-8?q?Fix=20implicit=20declaration=20of=20function=20?=
=?UTF-8?q?=E2=80=98PEM=5Fread=5Fbio=5FX509=E2=80=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add an include for openssl/pem.h
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/submit-n.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/submit-n.c b/src/submit-n.c
index 3dcb820a..4f763a16 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -33,6 +33,7 @@
#include <openssl/pkcs7.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
+#include <openssl/pem.h>
#include <cert.h>
#include <certdb.h>
--
2.31.1

46
SOURCES/0012-Remove-dependency-on-SHA-1.patch
View File

@ -1,46 +0,0 @@
From 2ef0a885962ecf558a8080b19652a5bd0c11c228 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 17 Mar 2022 15:44:00 -0400
Subject: [PATCH] Remove dependency on SHA-1
---
tests/033-scep/run.sh | 4 ++--
tests/tools/cachain.sh | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
index a36cd5a..baaa581 100755
--- a/tests/033-scep/run.sh
+++ b/tests/033-scep/run.sh
@@ -148,7 +148,7 @@ check_nonce
check_digest sha256
echo OK
echo "[gic, old trust root]"
-set_digest sha1
+set_digest sha256
$toolsdir/scepgen ca entry > scepdata
if test x`grep ^gic: scepdata | cut -f2- -d:` = x ; then
echo missing gic
@@ -158,7 +158,7 @@ check_verified
check_msgtype $SCEP_MSGTYPE_GETCERTINITIAL
check_txid
check_nonce
-check_digest sha1
+check_digest sha256
echo OK
echo "[req next, no trust root]"
if test x`grep ^req.next.: scepdata | cut -f2- -d:` = x ; then
diff --git a/tests/tools/cachain.sh b/tests/tools/cachain.sh
index 58f0c49..93aca9b 100755
--- a/tests/tools/cachain.sh
+++ b/tests/tools/cachain.sh
@@ -1,5 +1,5 @@
#!/bin/bash -e
-digest=sha1
+digest=sha256
keytype=rsa:1024
serial=12345678
cat > openssl.cnf << EOF
--
2.31.1

267
SOURCES/0013-Disable-DSA-in-the-RPM-spec.patch
View File

@ -1,267 +0,0 @@
From bdf93378eca9d28d5b49c8170c849d2c2e6f1991 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 7 Apr 2022 16:30:40 -0400
Subject: [PATCH] Disable DSA in the RPM spec
DSA has been disabled in default crypto policy since Fedora 30
and will cause crashes if used in FIPS mode.
Refresh the 028-dbus no-DSA expected output. It was out-of-sync
from previous changes.
https://bugzilla.redhat.com/show_bug.cgi?id=2066439
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
certmonger.spec | 6 +-
tests/028-dbus/expected.out.nodsa | 135 +++---------------------------
2 files changed, 15 insertions(+), 126 deletions(-)
diff --git a/certmonger.spec b/certmonger.spec
index 6715d83..9c01438 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -28,7 +28,7 @@
Name: certmonger
Version: 0.79.14
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@@ -143,6 +143,7 @@ autoreconf -i -f
%if %{with xmlrpc}
--with-xmlrpc \
%endif
+ --disable-dsa \
--with-tmpdir=/run/certmonger --enable-pie --enable-now
%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@@ -264,6 +265,9 @@ exit 0
%endif
%changelog
+* Mon Mar 28 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-2
+- Disable DSA. It is not allowed by default crypto policy (#2066439)
+
* Tue Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
- update to 0.79.14
- Fix local CA to work under FIPS
diff --git a/tests/028-dbus/expected.out.nodsa b/tests/028-dbus/expected.out.nodsa
index 20499bf..0e1b977 100644
--- a/tests/028-dbus/expected.out.nodsa
+++ b/tests/028-dbus/expected.out.nodsa
@@ -11,12 +11,14 @@ Request ID 'Buddy':
CA: local
issuer: CN=$UUID,CN=Local Signing Authority
subject: CN=localhost
+ issued: sometime
expires: sometime
dns: localhost
principal name: host/localhost@LOCALHOST
key usage: digitalSignature,dataEncipherment
eku: id-kp-serverAuth
certificate template/profile: SomeProfileName
+ profile: SomeProfileName
pre-save command: echo Pre
post-save command: echo Post
track: yes
@@ -33,10 +35,6 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
- is-default: no
- ca-type: EXTERNAL
- helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -44,8 +42,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -181,7 +179,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -272,6 +270,7 @@ OK
<arg name="principal_names" type="as" direction="out"/>
<arg name="key_usage" type="x" direction="out"/>
<arg name="extended_key_usage" type="as" direction="out"/>
+ <arg name="not_before" type="x" direction="out"/>
</method>
<property name="issuer" type="s" access="read"/>
<property name="serial" type="s" access="read"/>
@@ -433,7 +432,7 @@ Buddy
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_info ]
-(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')))
+(dbus.String('CN=$UUID,CN=Local Signing Authority'), dbus.String('$UUID'), dbus.String('CN=localhost'), dbus.Int64(tomorrow), dbus.Array([], signature=dbus.Signature('s')), dbus.Array([dbus.String('localhost')], signature=dbus.Signature('s')), dbus.Array([dbus.String('host/localhost@LOCALHOST')], signature=dbus.Signature('s')), dbus.Int64(9), dbus.Array([dbus.String('1.3.6.1.5.5.7.3.1')], signature=dbus.Signature('s')), dbus.Int64(recently))
[ /org/fedorahosted/certmonger/requests/Request2: org.fedorahosted.certmonger.request.get_cert_last_checked ]
recently
@@ -507,7 +506,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
- <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -941,10 +939,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -956,7 +954,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -964,116 +962,3 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="xml_data" type="s" direction="out"/>
- </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
- <method name="Get">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="out"/>
- </method>
- <method name="Set">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="in"/>
- </method>
- <method name="GetAll">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="props" type="a{sv}" direction="out"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface_name" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidated_properties" type="as"/>
- </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
- <method name="get_config_file_path">
- <arg name="path" type="s" direction="out"/>
- </method>
- <method name="get_nickname">
- <arg name="nickname" type="s" direction="out"/>
- </method>
- <property name="nickname" type="s" access="read"/>
- <property name="aka" type="s" access="read"/>
- <method name="get_is_default">
- <arg name="default" type="b" direction="out"/>
- </method>
- <property name="is-default" type="b" access="readwrite"/>
- <method name="get_type">
- <arg name="type" type="s" direction="out"/>
- </method>
- <method name="get_serial">
- <arg name="serial_hex" type="s" direction="out"/>
- </method>
- <method name="get_location">
- <arg name="path" type="s" direction="out"/>
- </method>
- <property name="external-helper" type="s" access="readwrite"/>
- <method name="get_issuer_names">
- <arg name="names" type="as" direction="out"/>
- </method>
- <method name="refresh">
- <arg name="working" type="b" direction="out"/>
- </method>
- <property name="ca-error" type="s" access="read"/>
- <property name="issuer-names" type="as" access="read"/>
- <property name="root-certs" type="a(ss)" access="read"/>
- <property name="root-other-certs" type="a(ss)" access="read"/>
- <property name="other-certs" type="a(ss)" access="read"/>
- <property name="required-enroll-attributes" type="as" access="read"/>
- <property name="required-renew-attributes" type="as" access="read"/>
- <property name="supported-profiles" type="as" access="read"/>
- <property name="default-profile" type="s" access="read"/>
- <property name="root-cert-files" type="as" access="readwrite"/>
- <property name="root-other-cert-files" type="as" access="readwrite"/>
- <property name="other-cert-files" type="as" access="readwrite"/>
- <property name="root-cert-nssdbs" type="as" access="readwrite"/>
- <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="ca-presave-command" type="s" access="read"/>
- <property name="ca-presave-uid" type="s" access="read"/>
- <property name="ca-postsave-command" type="s" access="read"/>
- <property name="ca-postsave-uid" type="s" access="read"/>
- <property name="scep-cipher" type="s" access="readwrite"/>
- <property name="scep-digest" type="s" access="readwrite"/>
- <property name="scep-ca-identifier" type="s" access="readwrite"/>
- <property name="scep-ca-capabilities" type="as" access="read"/>
- <property name="scep-ra-cert" type="s" access="read"/>
- <property name="scep-ca-cert" type="s" access="read"/>
- <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-
--
2.31.1

19
SPECS/certmonger.spec
View File

@ -27,8 +27,8 @@
%bcond_with xmlrpc
Name: certmonger
Version: 0.79.14
Release: 7%{?dist}
Version: 0.79.17
Release: 1%{?dist}
Summary: Certificate status monitor and PKI enrollment client
License: GPLv3+
@ -36,18 +36,6 @@ URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch0002: 0002-candidate-openssl-3.0-compat-fixes.patch
Patch0004: 0004-Add-compile-check-for-EVP_PKEY_get_id-along-with-EVP.patch
Patch0005: 0005-Add-SCEP-config-option-to-treat-the-challenge-passwo.patch
Patch0006: 0006-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
Patch0007: 0007-Update-csrgen-test-to-understand-OpenSSL-3.0.0-outpu.patch
Patch0008: 0008-Use-implicit-empty-FALSE-for-extensions.patch
Patch0009: 0009-Use-extensions-template-from-NSS.patch
Patch0010: 0010-Add-a-PEM-validity-checker-and-validate-SCEP-CA-file.patch
Patch0011: 0011-Fix-implicit-declaration-of-function-PEM_read_bio_X5.patch
Patch0012: 0012-Remove-dependency-on-SHA-1.patch
Patch0013: 0013-Disable-DSA-in-the-RPM-spec.patch
BuildRequires: autoconf
BuildRequires: automake
@ -278,6 +266,9 @@ exit 0
%endif
%changelog
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17
* Thu Apr 07 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.14-7
- Disable DSA (#2066439)